CamFlow was recently updated from v0.1.11 to v0.2.0. As you might notice by the big jump in numbers, there are some significant changes. I write this manual for installing and testing CamFlow v0.2.0. Commands used are specific to v0.2.0 of CamFlow.

## Installing Docker and CamFlow

1. Start with Fedora. I'm using Virtualbox, and using a Fedora 23 image from here: http://www.osboxes.org/fedora/
I use Fedora 23 because that's what CamFlow is tested on. The instructions page says it should be installable on other Linux variants also.  

2. Open the image in Virtualbox. I assign about 4GB of memory, on my 8G machine. Runs without a problem.  

3. Run the following commands in a terminal:
 ```bash
$ sudo dnf update
$ sudo dnf groupinstall 'Development Tools'
$ sudo dnf install ncurses-devel cmake clang gcc-c++ wget git openssl-devel zlib patch mosquitto
$ curl -fsSL https://get.docker.com/ | sh
$ sudo usermod -aG docker osboxes
$ sudo systemctl enable docker.service
$ sudo systemctl start docker
$ sudo docker run hello-world
 ```
 At this stage you should see the following:  
 <p style="color:gray; font-family:monospace">Hello from Docker!  
 This message shows that your installation appears to be working correctly. If so, proceed.  
 </p>

4. Install CamFlow
 ```bash
$ git clone https://github.com/CamFlow/camflow-install.git
$ cd camflow-install
$ make all
 ```
 at some point, an ncurses Linux Kernel Config blue screen will pop up. Scroll down to Security Options (see attached Screen1) and then scroll down to Camflow - Whole system provenance and select it (See attached Screen2). Then exit twice. Make should continue.
 <img src="Screen1.png" alt="Screen1" style="width: 400px;"/>
 <img src="Screen2.png" alt="Screen2" style="width: 400px;"/>

 Do something - run a half marathon, watch a movie, make dinner, something, anything... this could take a while. At a point, you will be required to enter the root password. Once entered, make will continue again and soon install and end. That's it. Now restart:

 ```bash
$ sudo reboot
 ```

5. You should now see a new option in the GRUB menu (see GrubScreen). Choose the one with kernel 4.9.5. This is the kernel with Camflow patched into it.
 <img src="GrubScreen.png" alt="GrubScreen" style="width: 500px;"/>

6. Test that you have the command line tools installed by typing 
 ```bash
$ camflow -v
 ```

 The response should be
 <p style="color:gray; font-family:monospace">CamFlow v0.2.0
 </p>

**Congratulations! The latest CamFlow was successfully installed.**  

A few points before we proceed:
1. All camflow commands require root permission. So use sudo for all camflow* commands.
2. The audit file is at /tmp/audit.log
3. By default, provenance capture is enabled. So even as we read this, /tmp/audit.log is about 100-200MB large and growing.
4. To disable the capture for now:
```
$ sudo camflow -e false
```

5. Try the command `$ camflow -h` to see all the options available. I reproduce the output here:
<img src="CamFlowHelp.png" alt="CamFlow Help"/>

## Docker, Python, Servers, and CamFlow

You will need multiple terminal tabs/windows for this. The python code for the two servers are listed after this installation section, in appendix A.  

Let's name our Terminals. Terminal A. In terminal A
```bash
$ docker run -p 49165:8080 -t -i python /bin/bash  
```

This should  
a) Download a python ready docker container on your Fedora VM  
b) Run the container and drop you into the shell  

```bash
root@1f3851fec9d9:/#
```

Open another terminal (Let's call it Terminal B) and do the following:  

```bash
$ docker ps
```

You should see something like the following:  
<pre style="color:gray; font-family:monospace">
CONTAINER ID		IMAGE			   COMMAND			 CREATED			 STATUS			  PORTS					 NAMES  
1f3851fec9d9		python			  "/bin/bash"		 26 minutes ago	  Up 26 minutes	   0.0.0.0:49165->8080/tcp   elegant_swartz  
</pre>

You want the CONTAINER ID. In this case: 1f3851fec9d9  
Copy files you downloaded for the proxy and server into the container:  

```bash
$ docker cp ~/Downloads/proxy.py 1f3851fec9d9:/
$ docker cp ~/Downloads/pyserver.py 1f3851fec9d9:/
```

Open Terminal A again, and verify that you see the files in the container.

```bash
root@1f3851fec9d9:/# ls
```

<pre style="color:gray; font-family:monospace">
bin   dev  home  lib64	mnt  proc      pyserver.py  run   srv  tmp  var
boot  etc  lib	 media	opt  proxy.py  root	    sbin  sys  usr
</pre>

Now that you see them, commit these changes to the container image with the following in Terminal B:

```bash
$ docker commit 1f3851fec9d9 camflow:server_proxy
$ docker images
```

<pre style="color:gray; font-family:monospace">
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
camflow             server_proxy        d8181764d0d7        24 minutes ago      688.4 MB
</pre>

You can now exit the prompt on Terminal A:

```bash
root@1f3851fec9d9:/# exit
```

Now test that all you've done so far is alright.  

Note the following details about the python proxy and server:  

|   	    |proxy.py		|pyserver.py|
|:-:	    |:-:			|:-:		|
|IP   	    |10.0.0.2		|10.0.0.2	|
|PORT       |8080			|8081		|
|python -v 	|python2 only	|python3 only|


```bash
#Create a docker network
$ docker network create --subnet=10.0.0.0/16 my-net

#Run the files to make sure they run OK.
$ docker run -p 49165:8080 --net=my-net --ip='10.0.0.2' -t -i camflow:server_proxy /bin/bash
root@0906059fcdfd:/# python2 proxy.py 
```

<pre style="color:gray; font-family:monospace">
serving at port 8080
</pre>

So that works. Hit Ctrl+C and

```bash
root@0906059fcdfd:/# exit

$ docker run -p 49166:8081 --net=my-net --ip='10.0.0.3' -t -i camflow:server_proxy /bin/bash
root@a98113c040a6:/# python3 pyserver.py 
```

<pre style="color:gray; font-family:monospace">
starting server...
running server...
</pre>

So that works. Hit Ctrl+C and

```bash
root@a98113c040a6:/# exit
```

## CamFlow test drive

Now, in two test trials I’ve seen my Fedora freeze so that I had no choice but to close VirtualBox and restart. I’m not sure what combo of commands causes this, or rather what combination doesn’t. What I note here is the order in which it worked last time. For all I currently know, maybe there are 3 mandatory system freezes before things can get started smoothly.  


Terminal 1
```bash
$ sudo camflow -e false
$ docker run -p 49165:8080 --net=my-net --ip='10.0.0.2' -t -i camflow:server_proxy /bin/bash
root@81e552cf28bf:/# python2 proxy.py
```
<pre style="color:gray; font-family:monospace">
('serving at port', 8080)
</pre>

Terminal 2
```bash
$ docker run -p 49166:8081 --net=my-net --ip='10.0.0.3' -t -i camflow:server_proxy /bin/bash
root@a0339b3fcbd8:/# python3 pyserver.py
```
<pre style="color:gray; font-family:monospace">
starting server...
running server...
</pre>

Terminal 3
```bash
$ wget http://localhost:49165
#<should succeed… an index.html gets saved>

$ sudo camflow --track-ipv4-ingress 0.0.0.0/0:49165 propagate
```
<pre style="color:gray; font-family:monospace">
Only apply to newly created connection.
</pre>

```bash
$ sudo camflow --track-ipv4-egress 0.0.0.0/0:49165 propagate
```
<pre style="color:gray; font-family:monospace">
Only apply to newly created connection.
</pre>

```bash
$ wget http://localhost:49165
#<should succeed… an index.html.1 gets saved>

$ sudo camflow -e true      #@Thomas - will capture work without this?

$ wget http://localhost:49165
#<should succeed… an index.html.2 gets saved>

$ ls -lh /tmp/audit.log 
```
<pre style="color:gray; font-family:monospace">
-rw-r--r--. 1 root root 291M Jan 25 04:16 /tmp/audit.log
</pre>

```bash
$ sudo rm /tmp/audit.log
$ sudo touch /tmp/audit.log
$ ls -lh /tmp/audit.log 
```
<pre style="color:gray; font-family:monospace">
-rw-r--r--. 1 root root 0 Jan 25 04:17 /tmp/audit.log
</pre>

~~~~bash
$ wget http://localhost:49165
#<should succeed… an index.html.3 gets saved>

$ ls -lh /tmp/audit.log
~~~~

<pre style="color:gray; font-family:monospace">
-rw-r--r--. 1 root root 51K Jan 25 04:18 /tmp/audit.log
</pre>

```bash
$ ls -lh /tmp/audit.log 
```
<pre style="color:gray; font-family:monospace">
-rw-r--r--. 1 root root 2.1M Jan 25 04:25 /tmp/audit.log
</pre>

```bash
$ cp /tmp/audit.log ./audit.log.exp0

$ wget http://localhost:49166/ 
#<should succeed… an index.html.4 gets saved>

$ cp /tmp/audit.log ./audit.log.exp1
$ ls -lh /tmp/audit.log 
```
<pre style="color:gray; font-family:monospace">
-rw-r--r--. 1 root root 1.5G Jan 25 05:04 /tmp/audit.log
</pre>

A thing to note here:  
I've listed /tmp/audit.log at various times to show how it grows even when you aren't doing any intended logging operations. In the example above, the file is 51K at 4:18, where it had 80 lines. Then it grew to 2.1M at 4:25. This is the copied file that I now have - audit.log.exp0. The first 80 lines of audit.log.exp0 correspond to the immediate effect of the server proxy interplay, while the rest - we need to look at what they log. Similarly, the last list shows how audit.log grows over time.


## Appendix A

## pyserver.py
```python
#!/usr/bin/env python3

from http.server import BaseHTTPRequestHandler, HTTPServer

# HTTPRequestHandler class
class testHTTPServer_RequestHandler(BaseHTTPRequestHandler):

  # GET
  def do_GET(self):
        # Send response status code
        self.send_response(200)

        # Send headers
        self.send_header('Content-type','text/html')
        self.end_headers()

        # Send message back to client
        message = 'Hello world 8081!'
        # Write content as utf-8 data
        self.wfile.write(bytes(message, 'utf8'))
        return

def run():
  print('starting server...')

  # Server settings
  # Choose port 8080, for port 80, which is normally used for a http server, you need root access
  server_address = ('10.0.0.3', 8081)
  httpd = HTTPServer(server_address, testHTTPServer_RequestHandler)
  print('running server...')
  httpd.serve_forever()

run()
```

## proxy.py

```python
#!/usr/bin/env python2
import SocketServer
import SimpleHTTPServer
import urllib

PORT = 8080

class Proxy(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        print self.path
        self.copyfile(urllib.urlopen("http://10.0.0.3:8081/"), self.wfile)

httpd = SocketServer.ForkingTCPServer(('10.0.0.2',PORT), Proxy)
print "serving at port",PORT
httpd.serve_forever()

```